This forum is in readonly mode and serves as an archive of old information. All posting, registration and commenting abilities have been turned off. To get help, the Broadleaf team regularly monitors the broadleaf-commerce tag on Stack Overflow so please ask your questions there.

Since this affects everyone currently running the demo site, I thought it would be a good idea to mention it here. The main cause for this is when you have assigned a static asset as the primary image for a product, and it manifests when you add that product to the cart and go to checkout. Common symptoms include:

Session being reset on an incorrect form submission on the checkout page, which will then invalidate your session (and cause CSRF exceptions if you try to resubmit the form)

SSL warnings when viewing /checkout as the static asset is being served over http (the browser first requests the image over https, but the application then redirects to actually serve the image over http)

The main cause of this is that there is no explicit mapping defined for the static assets, and thus the application treats them as though they should be served over http, based on this snippet in applicationContext-security (in site and combined):

    <!-- All URLs not explicitly specified as https will be served under http -->
    <sec:intercept-url pattern="/" requires-channel="http"/>
    <sec:intercept-url pattern="/**" requires-channel="http"/>

The fix is to ensure that static assets are treated just like any other static resource. So in applicationContext-security.xml in site and applicationContext-security-combined.xml add the following lines underneath where the other asset paths are defined (like /img/** and /robots.txt):

This will prevent any static assets from going through Spring Security, and correctly serve the assets over http or https depending on what the browser is requesting. This has been updated on the Heat Clinic and it is recommended that you add this to your application ASAP.
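As an added illustration (not part of the original post and not Broadleaf code), the following sketch walks channel rules in order, first match wins, and lists which paths referenced from an https page would be pushed back to http by the catch-all rules quoted above. The `/checkout/**` rule, the `/static-assets/...` path and the simplified Ant-style matching are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

SEC_NS = "http://www.springframework.org/schema/security"

# Constructed sample: the two catch-all rules are quoted from the post; the
# /checkout/** rule and the enclosing <sec:http> element are assumptions.
SAMPLE_CONFIG = f"""
<sec:http xmlns:sec="{SEC_NS}">
  <sec:intercept-url pattern="/checkout/**" requires-channel="https"/>
  <sec:intercept-url pattern="/" requires-channel="http"/>
  <sec:intercept-url pattern="/**" requires-channel="http"/>
</sec:http>
"""

def ant_to_regex(pattern):
    """Simplified Ant-style matcher: '**' any depth, '*' one segment, '?' one char."""
    head, tail = pattern, ""
    if pattern.endswith("/**"):
        # A trailing /** also matches the bare prefix, e.g. /checkout itself.
        head, tail = pattern[:-3], "(/.*)?"
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", head)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts) + tail)

def required_channel(config_xml, path):
    """Return the channel of the first matching rule, or 'any' if none matches."""
    root = ET.fromstring(config_xml)
    for rule in root.iter(f"{{{SEC_NS}}}intercept-url"):
        channel = rule.get("requires-channel")
        if channel and ant_to_regex(rule.get("pattern")).fullmatch(path):
            return channel
    return "any"

def downgraded_on_https_page(config_xml, referenced_paths):
    """Paths that an https page references but the rules force onto http."""
    return [p for p in referenced_paths
            if required_channel(config_xml, p) == "http"]

if __name__ == "__main__":
    # Hypothetical resources referenced by the checkout page.
    page_resources = ["/checkout/payment", "/static-assets/product.jpg"]
    for path in downgraded_on_https_page(SAMPLE_CONFIG, page_resources):
        print(f"{path}: requested over https, redirected to http")
```

Any path the script reports is a candidate for an explicit mapping alongside the other asset paths, so that it is served on whichever scheme the browser requested.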

The Broadleaf forums are being retired as a readonly archive of questions. For active discussions and questions, check out the broadleaf-commerce tag on Stack Overflow which is actively monitored by the Broadleaf team.
